CCMv4 in OSCAL Format

[aj-stein-nist]

Hello, I hope this is a good place to report this. Given the emergence of useful continuous audit metrics like these, and their relationship to CCMv4 controls, is there any work on the roadmap (for this project team or more generally in CSA) to release a draft or finalized copy of the CCMv4 controls in OSCAL data formats (one or all of OSCAL JSON, XML, or YAML)?

The NIST OSCAL Team would be willing to help where we can to assist this effort, where we can, to move forward this effort. Please reach out to via Gitter, email at [email protected], or any other medium we recommend on our website. Thanks!

[pritikin]

We fully agree with the goal. Where we needed to ref the CCMv4 controls we added them to our own yaml file - which was a bit of a hack.

Our understanding is the CCMv4 group will publish a full set. @apannetrat might have timeline info.

[aj-stein-nist]

All good! Again, if you want assistance with the review or any challenges in preparing and releasing the catalog, feel free to let us know. We want to support community adoption when we can reasonably pitch in, @pritikin and @apannetrat.

[mosi-k-platt]

@pritikin @apannetrat OSCAL rules could be a good use case for continuous audit metrics. @aj-stein-nist can provide more info if you have any questions after reading the doc.

[aj-stein-nist]

We fully agree with the goal. Where we needed to ref the CCMv4 controls we added them to our own yaml file - which was a bit of a hack.

Our understanding is the CCMv4 group will publish a full set. @apannetrat might have timeline info.

@apannetrat any update on this?